Statement of Gregory H. Friedman
Inspector General
U.S. Department of Energy

Before the
Subcommittee on Oversight and Investigations
of the
Committee on Energy and Commerce
U.S. House of Representatives

FOR RELEASE ON DELIVERY
9:30 AM
Friday, April 20, 2007

Mr. Chairman and members of the Subcommittee, I am pleased to be here at your request to testify on the concerns expressed in your April 5th letter regarding operations at the Los Alamos National Laboratory.

Background

In January of this year, I testified before this Subcommittee on the special inquiry conducted by my office regarding the diversion of classified data from the Los Alamos National Laboratory. Specifically, at the request of the Secretary of Energy, we examined the efforts of the Department and its contractors to protect classified information and the steps that were taken to ensure that only authorized individuals had access to such information. Our report on this matter was issued on November 27, 2006.

Office of Inspector General Review

The Office of Inspector General (OIG) found that the security environment at Los Alamos was inadequate, despite the expenditure of millions of dollars by the National Nuclear Security Administration to upgrade various components of the Laboratory’s security apparatus.

In particular, related to the cyber security control structure, we found that:

• Certain computer ports, which could have been used to inappropriately migrate information from classified systems to unclassified devices and computers, had not been disabled;
• Classified computer racks were not locked;
• Certain individuals were inappropriately granted access to classified computers and equipment to which they were not entitled;
• Computers and peripherals that could have been used to compromise network security were introduced into a classified computing environment without approval; and,
• Critical security functions had not been adequately separated, essentially permitting system administrators to supervise themselves and override controls.

In many cases, Laboratory management and staff had not: developed policies necessary to protect classified information, enforced existing safeguards, or provided the attention or emphasis necessary to ensure protective measures were adequate. Some of the security policies were conflicting or applied inconsistently. We also found that Laboratory and Federal officials were not as aggressive as they should have been in conducting security reviews and physical inspections. In short, our findings raised serious concerns about the Laboratory’s ability to protect both classified and sensitive information systems.

The OIG also reviewed certain aspects of the security clearance process in place for Laboratory employees. We identified particular weaknesses associated with this program which were discussed in a closed session of this Subcommittee in January of this year.

Departmental Response

After this incident was discovered, Department and Laboratory management officials launched several efforts to identify and correct control deficiencies that contributed to an environment in which classified information could be removed without authorization. In particular, the Deputy Secretary directed an immediate review of policies and practices related to computer ports at each of the Department’s facilities. Further, the Secretary established two high-level Task Forces to address our findings. The reports of the Secretary’s Task Forces and a list of the proposed corrective actions were provided to my office last week.

The report from the Department’s Committee to Review the Cyber Security-related Recommendations indicated concurrence with the OIG’s report and specified that the Department had initiated corrective actions that involved revising policy, securing unneeded ports, limiting access and privileges, and maintaining separation of duties. The report also indicated that controls over security planning and accreditation and physical inspections were to be strengthened and that corrective actions would be tracked to resolution.

The Personnel Security Program Review Task Force analyzed the OIG report and agreed that there were personnel security program weaknesses. The Task Force addressed the security clearance issues raised in our November 2006 report. Specifically, it identified and developed recommendations for improving Department-wide training, policy, quality assurance and oversight, and organizational structure. Additional details are contained in the Task Force’s report, which has been marked by the Department as “Official Use Only.”

Many of the corrective actions outlined by the two Task Forces are in progress. However, implementation and execution are key. If properly carried out, the corrective actions should improve classified operations at Los Alamos and could help prevent similar incidents at Departmental facilities around the complex.

Issues Requiring Continuing Attention

As I have testified on several occasions, the Department must do a better job addressing the recurring challenges it faces. Specifically:

1. With regard to the current matter, the Department must ensure that all actions and recommendations outlined in the Task Force Reports are formalized into policy and adopted as practice throughout the Department. As part of that effort, these policies should be incorporated into all facility contracts.

2. To achieve the recommended reforms, the Department must establish firm schedules with specific implementation timelines and performance metrics.

3. Both Federal and contractor officials need to manage more aggressively. As part of that process, the Department needs to ensure that its Federal contract management function is adequately staffed and that the skill mix is appropriate. In addition, Department and Laboratory officials must develop a more comprehensive regimen of compliance testing and follow-up to ensure that security policies and procedures are rigorously followed.

4. Individuals and institutions, both Federal and contractor, must be held accountable for failure to follow established security measures. As it has begun to do in its response to the recent Los Alamos incident, the Department should emphasize that the failure to properly protect classified information and materials will have meaningful consequences.

Finally, consistent with our November 2006 recommendation, we continue to believe that the Department should perform a risk-based evaluation of cyber security funding at Los Alamos. The objective of this evaluation would be to ensure that the resources are available for complete implementation of the revised cyber security policies and procedures.

Ongoing Inspector General Efforts

For the past five years, we have identified both cyber and physical security as pressing management challenges. For these reasons, and because of the recent incidents, the Office of Inspector General continues to be concerned about security across the complex. We have ongoing activities to examine information technology and systems security; implementation of revised security measures; disposal of sensitive property; and issues related to protective force training.

In addition to our ongoing work, the full Committee, in January 2007, requested that the Government Accountability Office (GAO) examine the security of the Department’s unclassified and classified information networks and its cyber security programs. My office coordinates closely with GAO on reviews of the Department, and we believe that the assessment requested by the Committee will lead to a strengthened agency-wide security posture. My office will continue to conduct audit, inspection, and investigative work that will complement the review requested by the Committee.

Mr. Chairman, this concludes my statement and I would be pleased to answer any questions you may have.